As stated in our previous blogs, phishing messages rely on social engineering. These emails provide a veil of lies so emails/links/attachments seem to come from people you know or legitimate organizations such as a government entities, your bank, or other well-known establishments. Keep in mind, imitation of these institutions runs rampant as “disguise” is the common denominator amongst all phishing attacks. So how do you protect yourself, and furthermore, your organization?
When it comes to phishing attempts, detection is key. The most important rule when it comes to protecting your personal information, is to never give your data by email or phone. Banks, companies, or government entities will never ask for credit card or financial information by email or phone. If you receive a phone call wherein personal information is requested, it is best for you to discontinue the conversation, and initiate a phone call to the institution yourself—verifying the request (note that the same should be done with any email requests for personal information). Protect yourself from becoming a phishing statistic.
- If you receive an email that seems suspicious, contact the source directly through a new email—do not simply hit ‘reply’.
- Check the spelling of any URLS that appear in email. Look for minor misspellings, a one-off word, or a non-https prefix.
- Be aware of URL redirects where you are sent to an entirely different website with an identical design.
- Do not open attachments from any unsolicited email.
- Do not provide personal or confidential information to anyone over the phone or through email.
- Keep your browser updated, and be sure to apply the latest security patches.
- Get free credit monitoring to protect yourself further from ID theft. Many services will monitor all three bureaus.
Perhaps the most important rule: Be aware. If you suspect that you are a victim of phishing, immediately change all of your passwords.
So now YOU’RE safe, but what about your company? Where do you begin? The answer: At the top. Company culture is the most important thing when it comes to protecting your organization, and in order to do so, you need to think like a cybercriminal.
Think like a Criminal
Thanks to advancing knowledge in cybersecurity, most workplaces do a great job of protecting employees from phishing attacks. However, as much as we advance, so do the cyber criminals. As we up our game, so do they. And in order to get around our more robust gateways, they build more targeted attacks—finding any threat vector they can to get inside. When protecting anything of value, you need to both understand risk and take a degree of risk. And when it comes to protecting your organization and safeguarding against cybercriminals’ tactics, you need to think like them.
To understand the attackers, look to understand their methods. Ask yourself what motive they may have to attack your organization. What data cannot be replaced nor modified? What information do you have that is of a highly competitive nature? Those items are most likely the targets of malicious activity, and therefore, those are the areas that require the greatest protection.
When thinking about phishing attacks, we need to take into consideration our threat vectors, and more importantly, the entire attack surface. As there are multiple threats within a single threat vector, you must assess the number of threat vectors that your company, and each employee, has. Employee email accessed through their company-assigned laptop isn’t the only way a phishing email is going to get through.
We live in an ever-connected world, so you have to take into account mobile devices. In fact, mobile device users are at a higher risk of phishing attacks, as most devices are not protected by corporate network defenses. Smaller screens on mobile devices also may make it more difficult to notice the signs of a phishing attempt, as URLs are truncated, and the smaller layout can hide additional clues.
Security awareness for all employees is key when it comes to protecting against phishing attacks. Employees should be trained on how a cybercriminal may structure the attack, examples on how URLs and websites can easily be faked, and an incident response protocol so they know how to react if a suspicious email is received. All main threat vectors and threat types should be discussed. As part of this education, ensure that employees are shown real-world examples of such attacks, so that they will recognize the telltale signs of phishing.
Everyone at the organization needs to work as a team to protect themselves. Ensure there is a system in place to report any malicious emails, and help employees to understand the importance of reporting those emails. If they simply delete the email, it helps no one.
It is imperative that organizations develop a multi-layered security approach that utilizes both people—and technology-based strategies.